Bug 112653

Summary: Crash in Document::setFocusedNode if the frame of new focused node is detached in 'change' event handler
Product: WebKit
Reporter: Kent Tamura <tkent>
Component: DOM
Assignee: Kent Tamura <tkent>
Status: RESOLVED FIXED
Severity: Normal
CC: aroben, darin, dglazkov, jonlee, morrita, webkit.review.bot
Priority: P1
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Kent Tamura
Reported 2013-03-18 21:11:02 PDT
https://code.google.com/p/chromium/issues/detail?id=201134

Reduction:

<div>
<input value="foo">
<iframe frameborder="0" id="input" height="100" width="540" srcdoc="&lt;input autofocus>"></iframe>
</div>
<script>
addEventListener("change", function(e) {
  // Moving the iframe re-attaches it, which detaches the frame that
  // currently holds the newly focused <input autofocus>.
  document.body.appendChild(document.getElementById("input"));
  document.body.appendChild(document.createTextNode("PASS"));
}, false);
</script>

1. Open the above document
2. Click on the left input field
3. Modify it
4. Click on the right input field
--> Crash by null pointer dereference
Attachments
Patch (3.88 KB, patch)
2013-03-18 21:54 PDT, Kent Tamura
no flags
Kent Tamura
Comment 1 2013-03-18 21:54:30 PDT
WebKit Review Bot
Comment 2 2013-03-20 15:01:01 PDT
Comment on attachment 193724: Patch
Clearing flags on attachment: 193724
Committed r146393: <http://trac.webkit.org/changeset/146393>
WebKit Review Bot
Comment 3 2013-03-20 15:01:05 PDT
All reviewed patches have been landed. Closing bug.